Healthcare is facing a security staffing crisis, HHS says

The dearth of information security skills in healthcare is so drastic that nearly three out of four hospitals do not have even a designated security person, according to an imminent report that the U.S. Department of Health and Human Services is planning to publish.

Calling it a consistently “strategic pitfall in the cybersecurity environment,” the Atlantic Council’s Director of the Cyber Statecraft Initiative Josh Corman said that healthcare is simply used to doing more with budgets that are smaller than what they need.

Corman is part of the HHS’ Health Care Industry Cybersecurity Task Force. Created by the Cybersecurity Information Sharing Act of 2015, the team is tasked with analyzing the state of healthcare security.

While the report won’t be released until later this month, Corman shared a few startling details with Healthcare IT News.

Across the board, all sectors are facing a shortage of cybersecurity talent, a recent Information Systems Audit and Control Association report found. More than a quarter of all businesses take six months to fill the security role. The reason? The majority of those applying aren’t qualified.

This statistic becomes even more untenable for hospitals in smaller, less desired areas that are forced to get creative when it comes to finding and retaining a designated security person.

Corman explained that these hospitals are already facing financial hardships, but also struggle to keep a security person on staff due to their location.

“The entire industry lacks a talent pool: there just aren’t enough chief information security officers on the planet to fill all of the needed positions,” Corman said. “And it’s just not affordable.”

Many of these hospitals are running at break-even budgets before adding any additional costs,” he said. “One security person just isn’t enough to defend against these highly-connected networks.”

In fact, small, medium and rural hospitals are often so strapped for funding that some organizations are lacking even a single IT person. And in some instances, nurse practitioners were designated as IT security officers.

“Some of these fill-in IT people were looking for a crash-course,” Corman explained. “Others had employees teaching themselves how to be in the position.”

Clever and collaborative hospital leaders, meanwhile, are even pooling resources with neighboring institutions to hire a security officer to share within the region or tapping into a virtual CISO who serves multiple health entities.

“There’s a pretty big delta between what we’d expect organizations to have in place and what we’re finding,” Corman added. “Large hospitals tend to have the staff, but we’re trying to determine a healthy ratio of security staff to the size of the organization.”